Cluster security

I just set up my new 2-node cluster + 1 Galera Arbitrator and found out that anyone can join the cluster, without knowing the ‘wsrep_sst_auth’ credentials.
To test this I set up a 4th node which is not in any of the other nodes’ ‘wsrep_cluster_address’, but it does know the correct ‘wsrep_cluster_name’.

Is this a feature I can only block by firewall, or did I forget to configure security?

The wsrep_sst_auth is actually used on the donor’s side, locally, by the SST script, not from the joiner.
Firewall is always a good practice, and running PXC inter-communication limited to a private IP network another one.
In addition, you may use SSL for Galera traffic, as demonstrated here:
see also the documentation:

Thanks for your reply!
So there’s no real security built-in, everyone can join the cluster as long as the network allows it?

By default it’s not enabled indeed, but don’t you consider the wsrep_provider socket.ssl_* options as built-in security options?

SSL is fine ofcourse, but it does not manage who is allowed to connect to the cluster and sync all data.
Right now, without a firewall, any host can connect to my cluster and it will sync all our data to that server.

Can you confirm that this is the case?

Without a firewall and no SSL, anyone who knows the correct port can join the cluster (and receive the SST).

With SSL (in Galera and for encrypt=2 or encrypt=4 in the SST), PXC will perform certificate validation against the CA file. Thus only those certificates generated from the specified CA file will be allowed to connect (authorization).

Galera, in general, views the cluster as a single entity (thus expects all nodes to hold the same SSL CA/certs/keys). So the possession of those CA/certs/keys authorizes the node as a member of the cluster (and thus allows them access to the SST).

Thanks Kenn!